With the evolution of medical care and the increased use of electronic medical records, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in order to provide national standards for the exchange, privacy and security of patients' health information. The most important aspects of HIPAA for healthcare consumers relate to their privacy rights, their right to access their medical records, and their right to seek the correction of medical records.
Protected health information (PHI) is individually identifiable health information held or transmitted by the provider, without regard to the form of the information. PHI may be in the form of records and communication on printed paper, electronic messages and files, and spoken communication.
A patient's PHI includes the patient's name, date of birth, Social Security Number, identifying information about the patient's medical devices, and full-face photographs. PHI also includes individually identifiable health information that relates to a patient's past, present or future physical or mental health or condition, provision of healthcare services, or payment for care.
With the implementation of HIPAA, healthcare providers must take care to properly protect patients' health information, both when receiving that information and when sharing it with others. For example, providers should:
- be aware of who has access to computer terminals through which PHI can be accessed, and should have protocols for logging out and timing out of terminals.
- make healthcare providers and other employees aware of the need to shield records from the view of other people, including other employees who don't have the need to access a patient's records.
- take care not to discuss PHI with others, in person or over the phone, within the potential earshot of people who are not authorized to receive that information.
- ensure that no PHI is disclosed when they dispose of records or of media that have been used to store patient information (for example, by shredding paper records and wiping or destroying drives before disposal).
- implement security controls, such as encryption and access controls, for remote access to PHI and for PHI stored on portable computers or removable media.
When you obtain treatment from a medical or dental healthcare provider, the provider should give you a notice of privacy practices explaining your privacy rights under HIPAA. The provider will ask you to sign a form acknowledging that you have received a copy of the notice.
Your signature simply acknowledges that you have received the information. Your healthcare provider may not require your signature on the form as a prerequisite for treating you.
The form should identify a person to whom you can direct questions about HIPAA and the provider's treatment of your protected health information (PHI), or to whom you can direct any complaints you may have about the policies.
In broad terms, a healthcare provider may disclose a patient's PHI, without the patient's written authorization, under the following circumstances:
To the individual who is the subject of the information;
By the provider for purposes of its own treatment, payment and health care operation activities.
With the patient's consent, or within the scope of reasonable professional judgment when the patient is incapacitated, for facility directories and for notification to persons involved in the individual's care or payment for care.
Where the disclosure is incidental to an authorized communication, as long as reasonable safeguards are in effect and the information shared was limited under the minimum necessary standard -- that is, the provider limited the disclosure to the minimum necessary to accomplish the intended purpose of the disclosure.
For the public interest and benefit. Certain information may be disclosed, for example, pursuant to law, court order, as a matter of public health, pursuant to mandatory reporting laws for abuse and domestic violence, for judicial, administrative and health oversight proceedings, for law enforcement purposes, due to a serious threat to health or safety, for essential government functions, for certain types of research, for a deceased patient where information is needed by a funeral director, coroner or medical examiner to perform their legal function, for tissue and organ donation, or for workers' compensation.
A limited data set, with certain direct identifiers removed, may be used and shared for certain research, health care, and public health purposes.
The restrictions on the use of PHI are complex, and this list of exceptions is a starting point for understanding how your information may be lawfully used. If you are concerned with how your healthcare provider may be using your PHI, you should discuss your concerns with your provider.
Under HIPAA, patients have the right to see and receive a copy of their medical records, including both paper and electronic records. The patient may request that the documents be provided in a specific format, such as in the form of a computer file. If the records are not readily producible in the requested format, and the patient and provider cannot agree on an alternate format, the provider is to give the patient a hard copy of the records. A patient may also request that the records be provided to a third party.
The provider may charge a reasonable, cost-based fee for providing the records, and the fee can be based upon such factors as the cost of supplies, staff time spent copying the records and, if applicable, mailing costs. Some states limit what providers may charge for copies of medical records. Those state limits apply when they are lower than the reasonable cost-based fee permitted by HIPAA.
A copy of the requested records must normally be produced within thirty days of the patient's request. The provider may obtain one thirty-day extension by providing written notice to the patient stating the reasons for the delay and the date upon which the provider expects to produce the records.
Exceptions from Disclosure
Psychotherapy notes are not ordinarily subject to the patient's right of access under HIPAA. Similarly, information compiled by the provider in anticipation of, or for use in, legal proceedings will not ordinarily be subject to that right of access.
Additional exceptions to access to PHI may arise in the context of requests by inmates in the custody of correctional institutions; PHI created in the course of research that is not yet complete, where the patient agreed to the temporary suspension of access when consenting to the research; where the federal Privacy Act limits disclosure; or where the information was obtained by the healthcare provider under a promise of confidentiality and disclosure would be likely to reveal the source of the information.
Patients who review their medical records and find information that they believe to be inaccurate may file with the provider a written request that the record be corrected. The provider has sixty days to respond to the request, but may take up to an additional thirty days if it informs the patient in writing of the reasons for the delay and the date when the review is expected to be completed. The provider does not have to delete information from the medical record in order to add a correction.
If the provider denies a request to correct a medical record, it must provide written notice of its decision to the patient explaining:
The basis for the denial of the patient's request;
That the patient has the right to submit a written statement disagreeing with the denial;
That the patient may require the provider to include the request for amendment and a copy of the denial with any future disclosures of the information to which the request pertains; and
How the patient may complain about the denial.
Although HIPAA does not provide patients with a remedy in the event that a healthcare provider violates the patient's privacy rights, the law can result in significant penalties for providers who fail to comply with the law. Most healthcare providers take compliance very seriously, and will investigate reports of violations of patients' privacy rights in order to determine if a violation occurred and to take corrective action. The HIPAA information sheet issued to patients by the provider should identify the appropriate person to whom to make complaints.
Any person may also file a HIPAA complaint with the Office for Civil Rights of the U.S. Department of Health and Human Services. Instructions for making a complaint are available online.